This isn’t a sales pitch: I DO NOT SELL INSURANCE. I’ve written this blog post to support a couple of clients who are considering cyber security insurance.
In the digital economy, data is gold, and its value is undeniable. For many businesses, losing it is catastrophic once you consider the financial sanctions, loss of reputation and risk of legal action. Fear of that outcome has paved the way for well-marketed insurance policies which promise the world but do not always deliver on those promises. But here’s the thing: it’s not their fault, it’s yours.
What is it?
From a very generalist point of view, cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks. Many will be surprised to hear that cyber insurance policies have been around for a little over a decade already, but have only in the last several years gained significant attention. While many forms exist, three of the more common types of Cyber Liability Insurance Coverage (CLIC) are Cyber Security, Cyber Liability and Technology Errors and Omissions Insurance. The first two deal with risks pertaining to data breach. The latter focuses on businesses which provide technology products and services.
What is it not?
There’s an elephant in the room, so I’ll address it to ensure we are 100% clear. Cyber insurance policies are NOT a preventative measure and WILL NOT, in their own right, mitigate the risk of an attack. Business owners, some advice if I may: stop placing reliance on insurance policies! It’s 2019 and I still, on occasion, hear the immortal words ‘that’s what I have insurance for’ leaving a business owner’s lips… Respectfully, wrong answer! That’s a head-in-the-sand approach to security and likely to land you in hot water, with or indeed without an insurance policy in place.
What do policies include?
The only way to truly ascertain the value of a policy is by interrogating it. Insurance providers offer differing products of differing composition and levels of protection. There is a school of thought that you ultimately get what you pay for, but that doesn’t necessarily mean a more expensive policy will meet your needs. The only way to be sure is to dig into the detail.
Conscious that this is a blog post, and therefore not exhaustive, here are the things you should be looking for in a policy:
Business interruption loss
In the event of a catastrophic loss of IT service or a cyber attack interrupting normal business operations, insurers will cover lost income during this period. Furthermore, many will also recognise any increased costs in the wake of the incident. For many businesses this component is essential, as few companies can operate at limited capacity for considerable periods and survive. Recovering to your normal operating capacity as soon as possible is critical. When you look into this, make sure it covers supply chain interruptions, as some insurers do not include this as standard and may not pay out.
Privacy breach cover
Watch out for this one: it can come in singular form or be split into two different sections, Privacy Liability Protection and Costs of Breach. Both are highly important due to the legal and regulatory scrutiny they provoke.
Privacy liability cover
Protects your business against claims of privacy infringement and the associated legal costs. In general, it will cover settlements to claimants and, importantly, the legal fees you are likely to incur. Businesses that store personal information may want to give this one serious thought, and take note of your cover amount – legal bills add up quickly!
Cost of Breach
This is more self-explanatory: it deals with the expenses you incur in dealing with the breach.
This one is on the rise. Criminals have realised that they don’t necessarily need to steal your data when they can simply deny you access to it and charge you a fee to release it. The policy should cover the demand amount and any additional fees incurred in brokering and completing the deal.
From experience, be very careful with this one, as paying the fee doesn’t always result in regaining access. Remember that you are dealing with criminals, and they have no ‘money back’ policy or terms and conditions. The first step should always be to report the crime to the police, Action Fraud and your insurer. Have a defined internal response plan or playbook and follow it.
Hacker damage/Asset replacement
This is a big one for my retail and manufacturing clients, as it deals with damage sustained to digital assets and equipment, something critical to manufacturing companies.
Now ask yourself, do you need insurance?
It’s a question only you can answer. All risks, cyber included, are business risks; cyber gets no special attention if risk assessments are conducted correctly and measured without bias purely on ‘likelihood’ and ‘impact’. Don’t ask the ‘sales guy’: he will convince you that it’s essential in this day and age, that he has one himself, that it’s scarce in supply, that the price is only likely to go up in the future and that you won’t be able to get that particular policy and offer again 🤗. Look at what ‘your’ business is, does and holds. If that includes sensitive or personal customer data, reliance on IT systems, the web or payment card information, insurance should be given serious consideration.
In principle, the notion of cyber security and privacy policies which cover a business’s liability for a data breach makes sense, but it’s a balancing act. You need to ensure the outlay is worthwhile and that the chosen policy isn’t too restrictive.
Threat and risk analysis, data impact assessments, business impact analysis, policy gap analysis, cost-benefit and investment analysis, and much more will support your decision making. Equally, when assessing the requirement, look at the policies you may already hold; there is likely to be some overlap, especially regarding business interruption, professional indemnity and commercial property insurance policies, amongst others. The purchase of cyber insurance may supplement your existing arrangements and meet your business needs. For many of my clients it didn’t make financial sense; for others, it was a necessity.
While cybersecurity insurance is becoming more prevalent, its adoption is still not widespread. Furthermore, as previously mentioned, it does nothing to safeguard you from the incident. In the same way home insurance works, you need to meet specific criteria and won’t likely get reimbursed if you were found to have left all your windows and doors open with your finery on display.
Personally speaking, I am an advocate of insurance policies when the business model suits and the policy is well considered. However, be under no illusion: the policy is likely to be challenged by insurers during the post-incident review and any subsequent settlement. If your systems have been found wanting, don’t be surprised if the settlement doesn’t fall in your favour. Insurers will always scrutinise the claimant’s actions when dealing with any potential payout. If the policy isn’t watertight, be prepared for a bumpy ride.
By way of example, Zurich (an American Insurance Company and household name) recently refused to pay out on a Mondelez (a major US snack food manufacturer) policy. The policy in question explicitly stated it covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.” However, after Mondelez was subjected to the ‘NotPetya’ ransomware infection, Zurich refused to foot the bill, claiming it was a ‘state-backed’ ‘act of war’ and therefore outside the parameters of the policy. Zurich offered a full and final settlement of $10M – significantly less than the total cost of the incident. Mondelez has now brought a claim against its insurer for $100M. I’ll keep you updated on the result, as it will change things either way.
If Zurich were to win, it would do two things overnight: 1) companies would need to review their policies to ensure cover for potentially ‘state-backed’ acts of war; 2) a ‘new’ cyber attack insurance market would be created. If Mondelez were to win, premiums would likely rise significantly to reflect the risk exposure for insurers.
I implore you to consider your business model, the policy components you require, and the cost to your business with or without insurance. If you’ve identified the threats and risks, analysed the impact and evaluated your mitigation options, you will arrive at the natural conclusion as to whether it presents a strong value proposition to your business or not. Irrespective of that decision, your cyber security programme must take precedence and be well considered and resourced accordingly; your insurance policy is not a substitute.
Thanks for your time.
If you would like to discuss your cyber security needs, get in touch today – www.CyberSavvyBusiness.com